Awesome Open Source



Fastify plugin for HTTP Strict Transport Security


You may know hsts as the HSTS middleware used in helmet, and you could also use it as a middleware in fastify. So why did I make this plugin?

You can find the reason in the benchmark results. I hope you like it. :)


This plugin passes all of the hsts test cases, but it differs from hsts in two ways:

  • It uses the default value if the maxAge option is missing or invalid.
  • It ignores setIf if it is not a function.


Via npm:

npm i fastify-hsts

Via yarn:

yarn add fastify-hsts


const fastify = require('fastify');
const fastifyHsts = require('fastify-hsts');

const app = fastify();
app.register(fastifyHsts, {
  // Your options
});

app.listen(3000, err => {
  if (err) throw err;
});


This plugin has the same options as the middleware in helmet.

maxAge {number}

Sets max-age in the header. The default is 15552000, which is 180 days in seconds. The plugin uses the default value if you pass in a non-numeric value.

includeSubDomains {boolean}

Sets the includeSubDomains value in the header. The default is true. You can find more information about this value here.

includeSubdomains {boolean}

Alias to includeSubDomains.

preload {boolean}

Sets the preload value in the header. The default is false. You can find more information about this value here.

setIf {function}

By default this plugin always sets the header, because the header is ignored when it arrives over insecure HTTP. If you want to set it conditionally, use this option.

app.register(fastifyHsts, {
  setIf: (request, reply) => {
    // request is the fastify request instance
    // reply is the fastify reply instance
    // should return a truthy value for setting header
  }
});
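
The option rules above, written out as an added example (not the plugin's source; `buildHeader`, `hstsFor` and `preloadIssues` are hypothetical names). It goes one step beyond this README by checking the resulting value against the hstspreload.org submission requirements: a max-age of at least 31536000, includeSubDomains and preload.

```javascript
// Added example, not the plugin's source. Helper names are hypothetical.
const DEFAULT_MAX_AGE = 15552000;     // 180 days, the default documented above
const PRELOAD_MIN_MAX_AGE = 31536000; // 1 year, minimum accepted by hstspreload.org

// Build the header value using the option rules this README describes.
function buildHeader(opts = {}) {
  // Assumption: NaN, Infinity and negative numbers count as "invalid" too.
  const valid = typeof opts.maxAge === 'number' &&
    Number.isFinite(opts.maxAge) && opts.maxAge >= 0;
  const parts = ['max-age=' + Math.round(valid ? opts.maxAge : DEFAULT_MAX_AGE)];
  // Assumption: setting either spelling to false turns the directive off.
  if (opts.includeSubDomains !== false && opts.includeSubdomains !== false) {
    parts.push('includeSubDomains');
  }
  if (opts.preload === true) parts.push('preload');
  return parts.join('; ');
}

// Return the header value for one request, or null when setIf declines.
function hstsFor(opts = {}, request, reply) {
  // A setIf that is not a function is ignored, so the header is always set.
  if (typeof opts.setIf === 'function' && !opts.setIf(request, reply)) return null;
  return buildHeader(opts);
}

// List the hstspreload.org submission requirements a header value fails.
function preloadIssues(headerValue) {
  const directives = new Map();
  for (const raw of headerValue.split(';')) {
    const [name, value = ''] = raw.trim().split('=');
    if (name) directives.set(name.toLowerCase(), value.replace(/"/g, ''));
  }
  const issues = [];
  const maxAge = Number.parseInt(directives.get('max-age'), 10);
  if (!(maxAge >= PRELOAD_MIN_MAX_AGE)) issues.push('max-age below 31536000');
  if (!directives.has('includesubdomains')) issues.push('includeSubDomains missing');
  if (!directives.has('preload')) issues.push('preload missing');
  return issues;
}

// Constructed sample: preload switched on but maxAge left at the default.
console.log(preloadIssues(buildHeader({ preload: true })));
```

With the default maxAge, turning on preload alone produces a header that the preload list would reject, so raise maxAge before submitting a domain.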


  • 0.3.0
    • Use hsts test cases
  • 0.2.0
    • Add test case
    • Add code coverage
    • Add benchmarks
  • 0.1.0
    • Init version